Shopify's app store has dozens of cookie consent apps, but not every merchant wants another monthly subscription or an app that slows their theme. You can add a basic cookie banner to Shopify without an app by editing your theme code. However, understand the trade-offs: manual implementations often lack proper script blocking, which is the hardest part of GDPR compliance.
What You Can Do Without an App
A no-app approach typically involves adding HTML, CSS, and JavaScript to your theme's layout file. You can display a banner, store consent in localStorage or a cookie, and conditionally load scripts based on the user's choice. This works for simple stores with few tracking tools and a developer comfortable editing Liquid templates.
- Display a consent banner on first visit
- Store accept/reject preferences in the browser
- Show or hide third-party scripts based on consent
- Link to your cookie policy and privacy policy
- Provide a footer link to reopen consent settings
Step-by-Step: Adding Banner Code to Your Theme
- Go to Online Store → Themes → Edit code in your Shopify admin
- Open theme.liquid in the Layout folder
- Add your banner HTML before the closing body tag
- Include CSS for positioning—typically a fixed bar at the bottom
- Write JavaScript to check for existing consent and show the banner if none exists
- Wrap Google Analytics, Meta Pixel, and other scripts in conditional blocks that check consent
- Test in an incognito window by accepting and rejecting cookies
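The steps above as an added example (not code from the original page): a consent gate placed in theme.liquid after the banner HTML, which keeps theme-level tracking tags inert until the matching category is accepted. The storage key, the `data-consent`/`data-src` attributes and the element ids `cookie-banner`, `cookie-accept` and `cookie-reject` are assumptions made for this sketch.

```javascript
// Added example: consent gate for theme.liquid. KEY, data-consent, data-src and
// the cookie-* element ids are assumptions, not Shopify names.
const KEY = 'cookie_consent_v1'; // hypothetical storage key

// Read the stored decision; anything malformed counts as "no decision yet".
function readConsent(storage) {
  try {
    const c = JSON.parse(storage.getItem(KEY));
    if (c && typeof c.analytics === 'boolean' && typeof c.marketing === 'boolean') return c;
  } catch (e) { /* corrupted value, or getItem threw */ }
  return null;
}

// Persist the choice; only an explicit `true` grants a category.
function saveConsent(storage, choice) {
  const c = { analytics: choice.analytics === true, marketing: choice.marketing === true, ts: Date.now() };
  storage.setItem(KEY, JSON.stringify(c));
  return c;
}

// Tracking tags are written in the theme as
//   <script type="text/plain" data-consent="analytics" data-src="..."></script>
// so the browser does not execute them. Swap in live tags for granted categories only.
function activateScripts(doc, consent) {
  let activated = 0;
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach((inert) => {
    if (!consent || consent[inert.dataset.consent] !== true) return; // default deny
    const live = doc.createElement('script');
    if (inert.dataset.src) live.src = inert.dataset.src;
    else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated++;
  });
  return activated;
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof document !== 'undefined') {
  const banner = document.getElementById('cookie-banner');
  const decide = (granted) => {
    activateScripts(document, saveConsent(localStorage, { analytics: granted, marketing: granted }));
    banner.hidden = true;
  };
  const stored = readConsent(localStorage);
  if (stored) activateScripts(document, stored); else banner.hidden = false;
  document.getElementById('cookie-accept').onclick = () => decide(true);
  document.getElementById('cookie-reject').onclick = () => decide(false);
}
```

This gates only the tags you have rewritten in the theme itself; anything loaded from outside theme.liquid is unaffected by it.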
Important limitation
Scripts added through Shopify's Customer Events, app embeds, or Online Store 2.0 app blocks may load before your theme JavaScript runs. You cannot easily block these without a dedicated consent tool or app.
The Script Blocking Challenge
GDPR requires that non-essential cookies are not placed before consent. Many Shopify stores have tracking code in multiple places: theme.liquid, additional scripts in Settings → Customer events, Google & YouTube channel, Facebook channel, and various app embeds. A theme-only banner cannot block scripts injected by apps or Shopify's native channel integrations.
Where tracking code hides in Shopify
- Settings → Customer events (Shopify's native pixel and analytics)
- Sales channels → Google & YouTube and Facebook integrations
- App embeds enabled in the theme customizer
- Custom Liquid blocks added to sections
- Checkout extensibility apps that load on thank-you pages
Using Shopify's Customer Privacy API
Shopify provides a Customer Privacy API that apps and themes can use to read consent preferences. If you build a custom banner, integrate with this API so it works alongside Shopify's built-in data sale opt-out for US states. Check Shopify's developer documentation for the current API version and consent signal format.
When a No-App Approach Falls Short
Consider a dedicated solution instead of DIY code if your store uses multiple marketing pixels or Shopify's native Google/Facebook channels, or if it needs consent logging for audits, geo-targeting for EU vs. US visitors, or Google Consent Mode v2. The time you spend maintaining custom code often exceeds the cost of a compliance platform.
A Better Middle Ground
StoreComply installs with a lightweight script in your theme head. It provides hosted policies, a consent banner, Google Consent Mode v2, and copy-paste snippets so Google Analytics and Meta Pixel load only after visitors accept. Shopify app embeds and sales-channel pixels may still need separate configuration.
Testing Your Implementation
After deploying your banner, open Chrome DevTools → Application → Cookies. Load your store in incognito mode and reject all cookies. Verify that _ga, _gid, _fbp, and other tracking cookies do not appear. Check the Network tab for requests to analytics and ad domains. Repeat after accepting each category to confirm selective loading works.